Infosec from @rattis' point of view

Tag Archives: what to read

After Hurricane Maria hit Puerto Rico, and the U.S. Virgin Islands, the ARRL asked for volunteers. They were relaying the request from the American Red Cross. I wanted to volunteer, but I lacked all the requirements. I never used WinLink and I haven’t done much HF work. In fact the only HF work I’ve done was at Field Day 2 years ago. Though I am familiar with the National Traffic System and have even successfully sent traffic to the West coast, and got a response back through NTS. But my experience wasn’t good enough, so I thought I’d fix that.

TL;DR: Read Personal Emergency Communications (links below the fold), by Andrew Baze. It was good book.

Pros: It was well thought out, and taught me a few things I didn’t previously know. It also gave me some ideas of where to fix my own emergency planning, outside of communications and introduced me to things I didn’t have in the last power outage I went through.

Cons: It is a little dated, and I would really like to see an update to some sections. Such as eXRS and scanners.

The information is still great. It gets someone thinking about comms and how they matter. A lot of what is discussed here, could easily be carried over in to non-emergency situations and improve company communications during cyber incidents. Especially focusing the items in the first section of the book, such as knowing who to call, and having a calling clock as to when to call them.

The key concept is willing to take ownership of not just the successes but also the failures. The key example is the commanding officer, Jacko Willink, “publicly” accepting a horrible failure of a mission, as the ultimate owner of the failure even though several others who made mistakes offered to take the blame. At the the end of the mission it was him not making sure everything was done right that caused the problem, and he owned knowing it could cost him his career.

There are were other things covered. Topics through the book included planning. Keeping the plans simple. Empowering the teams to be able to decentralize their command structure. Lead from the top down and the bottom up. Having disciplined Standard Operating Procedures, that allowed the team in the combat zone the freedom to adjust to the current situation.

The biggest take away though was one scene when Lief Babin was involved in Hell Week, part of SEALs training. The section was on “there are no bad teams, just bad leaders”. The SEALs leading HELL week as trainers showed this by swapping the leaders of the winning and losing race teams. The leading one brought the losing team up to challenge his old team every race after.

The trick was setting way points in the course, and pushing them to each one. Don’t worry about the course as a whole, just the next goal, and let that build to the end.

The other thing I liked about the book, it would show the concept of the chapter in the battle area, broken down in principle, and then finished in a business environment.

The authors at the end said there is nothing really new in the book, just a new way of looking at the concepts. I know I followed some of the concepts in the past, and I picked up a few new ones to go forward with.

One I’ve put in to practice already is the concept of way points. While that wasn’t the goal of no bad teams just bad leaders, it did stick out. I’ve put it in to practice with my classes. While there is still a lot to go, I just have to go from way point to way point, and not worry about the next way point until I get to the one I’m heading for now. I don’t have to worry about the Degree at the end of my current program. Just the last 2 classes before I get to the degree. Of those, I only have to worry about the current class I’m in. Id on’t have to worry about all 12 weeks. Just the week I’m in. And break that week down in to manageable segments.

It’s a book written in the 90s looking at the history of pirates during the golden age. It talked about some of the romantic myths that raised up around the golden age, and how those myths came to be.

The book shows how pirates lived and died, the difference between Privateers and Pirates. How the line between the two types could be blurred. And, what eventually lead to the down fall of the golden age of piracy.

The most interesting case, though one of the smallest in the book was Captain Kidd. Who was commissioned as a Privateer (complete with letter of Marque), crossed in to Piracy to appease his crew, and paid the price for it at the end. The political intrigue was a nice twist in the rope too.

What really lead to the end of the golden age of piracy was Hunt Teams (multiple ships hunting the pirates down), clemency (though some pirates went back to their former ways), and visible reminders in ports of what happened to captured pirates. Countries not being at war led to some of the downfall too.

But the thing is, things had to change before piracy ended. The defenses put up around ports and along the gold trails didn’t do much to stop or deter the Privateers or Pirates going for the gold. For example, Henry Morgan’s attacks on Porto Bello, even though there were 3 castles protecting the place, it still fell to Morgan.

Ships carrying arms didn’t do much either, other than anger the pirates. It wasn’t until Naval vessels put on acts as either other Pirate Ships, or as merchant ships, that having armed sea going ships mattered.

The book did give some interesting history lessons, and gave some ideas that could be re-applied to cybersecurity to secure the Net Today. Think of the Internet as the Sea, and hackers as villainous pirates.

While a history book on pirates, it does give some ideas as to how to change how we’re doing InfoSec today. It was worth the time it took read, and gave some interesting thoughts on how to deal with the problems InfoSec faces today.

Anyway, this is the book I wish I had in January of 2016, when I moved from Incident Response / Event Analysis to Threat Intelligence. It’s a good primer on the subject. While it’s not completely new material, it’s the basics in one place. When I started doing TI, I had to learn from the ground up, and things were scattered. Some was easy, other parts were more advanced, and nothing made a good how to. Especially when I wanted to start showing value from the word go.

I think that if I had, had this book and read it when I was starting it would have been very beneficial. While it’s not as in depth as SANS For578, I do think that it would make a good primer for anyone in IR going to SANS for Cyber Threat Intelligence.

Just read, or re-read “Sailing the Sea of OSINT in the Information Age” by Stephen C. Mercado from the Studies in Intelligence Volume 48, number 3. I’ve had this for a while, I bought it 2013. Which is part of why I don’t remember if I read it before. It’s available from the CIA’s Library. It’s an article from the CIA’s Peer Reviewed Journal.

I found it very informative, even for something originally written in 2007. While today, I think most of us in IT, think of OSINT as mainly tracking social media accounts (what some call SOCINT), it really goes beyond it.

The main points that were brought up:

OSINT has been there for a very long time, since the beginning of Intelligence programs in the United States. It just hasn’t ever been formally given a department like others.

It’s based off public media like magazines, books, news papers, radio and TV broadcasts.

There are not enough people who understand foreign language / culture to get proper use out of OSINT.

There is things in the public space where OSINT lives that comes out better than in some of the other sources of intelligence. An example was information gathered by the Japanese about a former KGB officer. “The resulting book and Levchenko’s press conferences were, according to a US intelligence officer, more revealing than his CIA debriefing”.

Which oddly ties in to something I saw on my Firefox browser recently.

So I’m curious, do we as a mono-langauge culture really have the skills we need to do intelligence. How many data leaks are found on foreign language hacking forums?

The article is worth the read, and brings up some good questions. I liked Mercado’s recommendation on making the Foreign Broadcast Information Service an intelligence service again, put OSINT under it, like how the NRO has IMGINT, and create incentives for people to study things like language and culture to increase the ability of the agency.

I bought this book in December of 2013. I think started to read it, and lost interest / had other things come up. I recently picked this book up to read not that long ago, and went through it. Mike Roche, did a good job of breaking the book up in to parts. He uses his history in Law Enforcement to cover Mass Shootings, the signs, and how HR / Senior Leadership should handle the events leading up to a shooting.

I’ve stumbled around with Shodan.io for a while now. It’s a great tool, but using it effectively has always eluded me. John Matherly has given me some great advice on twitter, and I like Daniel Miessler’sShodan Primer. But I never really find the information I need at the time.

While I know it is great to find webcams and spying Super Gnomes, that is just something I don’t use Shodan for. A lot of the reason I use Shodan lately is for work. Usually someone in management asks will if anyone knows what Shodan knows about the company. Which of our systems are listed on there.

Today while stumbling around trying to look up the company name and the netblocks, and using Dan’s cheatsheet (linked above), I noticed a new link on the page. Book.

This link goes to Lean Pub’s “The Complete Guide to Shodan” by John Matherly. It is a pay what you want book. They suggest just under $5.00 USD, for the 60 page booklet. I’m saying it’s worth more than that. I paid $10.00, which I still think is too low for this book.

The book can be delivered to your Kindle or downloaded as a pdf, an Epub, or Mobi file. I grabbed the PDF and Kindle copies of the file (too small to read on my phone and never figured out how to get it to show up in the Kindle Cloud reader).

This book is divided up in to Web Interface, External Tools (like the linux command line), Developer API, Industrial Control Systems, Appendices, and Exercise Solution.

There are exercises at the end of the Web Interface, External Tools, and API sections. Not all of them worked the way they were described in the book. For example I couldn’t find the Rastalvskarn Powerplant, even though it shows up with the link in the solution section.

I’ve read some documents on the API and struggled to get them to work. After reading the book, while I still have some questions, I know I can write the Network Alert that management wants.

Get this book, it’s worth more than anything you’ll pay for it. While it is only just over 60 pages, the content is great! Especially especially the Filter list in Appendix B.

I just finished reading The Linux Journal’s “Geek’s Guide to Enterprise Monitoring Success“. It was good, talking about how to leverage the monitoring to work for the IT department in an organization. This also talked about some business problems you can face, which I’ve seen first hand. I’ve been in the “metrics from another group’s monitoring tools” meeting before. Trust me, you need to be sure of yourself and what you’re doing for the company before that happens. I’ve also seen monitoring systems destroyed because the wrong people had too much access and trying to tune the system for their needs only.

For what it was, this was a good guide. From the title though, I expected something different.

It really felt like a draft version of Rework. It was ok. There were some great quotes in the book from people who have used the same frame of thought to make a new company or run a business.

There were parts of the book that countered what I remembered from Rework (remember I read this book every other year), the biggest being how to deal with the competition, and seeing what they do. It felt that the two books were at odds on how to deal with the competition.

I would only recommend this book for the quotes, but think that Rework is the stronger and better of the two books to read.